18

I use the gorbin/ASNE SDK in my app. I recently received an email from Google with the following subject: "Google Play Warning: SSL Error Handler Vulnerability". In this email, Google explains that my app has an "unsafe implementation of the WebViewClient.onReceivedSslError handler"

and they recommended that I do the following: "To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise"

Here's my implementation of the method:

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Accepts every certificate error unconditionally: this is the unsafe pattern Google flagged
        handler.proceed();
    }

Any help, please?

Atef Daoud
  • There are lots of similar questions, please [have a look first](http://stackoverflow.com/search?tab=newest&q=onReceivedSslError). – Steffen Ullrich Mar 01 '16 at 11:11

3 Answers

28

To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

For example, I added an alert dialog so that the user has to confirm, and it seems Google no longer shows the warning.

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // The builder needs a Context; inside a WebViewClient use the WebView's context, not `this`
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate hostname does not match.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();  // user accepted the risk: continue the load
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();   // abort the load
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

After these changes it will not show the warning. Reference

Johnny Five
Anant Shah
  • Applications are advised not to prompt the user about SSL errors, as the user is unlikely to be able to make an informed security decision and WebView does not provide any UI for showing the details of the error in a meaningful way. – Kaushik Burkule Feb 08 '21 at 13:41
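One way to apply the "proceed only when the certificate meets your expectations, cancel otherwise" rule without prompting the user, as an added example (not code from the question, this answer, or the ASNE project): the WebView is assumed to load a single known host whose leaf certificate has been pinned in advance; EXPECTED_HOST and EXPECTED_LEAF_SHA256_HEX are placeholders, and SslCertificate.getX509Certificate() requires API 29.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

public class PinnedWebViewClient extends WebViewClient {
    // Placeholders (assumed, not from the page): the one host this WebView may load and the
    // hex SHA-256 of the DER-encoded leaf certificate it is expected to present.
    static final String EXPECTED_HOST = "example.com";
    static final String EXPECTED_LEAF_SHA256_HEX = "<sha256-of-expected-leaf-certificate>";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (certificateMeetsExpectations(error)) {
            handler.proceed();  // exactly the certificate we pinned: continue the load
        } else {
            handler.cancel();   // anything else: abort the load; no prompt, no override
        }
    }

    // True only if the failing URL is on the expected host AND the presented leaf certificate
    // hashes to the pinned value. Any exception (bad URL, no cert, bad pin) fails closed.
    static boolean certificateMeetsExpectations(SslError error) {
        try {
            String host = URI.create(error.getUrl()).getHost();
            if (host == null || !host.equalsIgnoreCase(EXPECTED_HOST)) {
                return false;
            }
            // SslCertificate.getX509Certificate() is available from API 29 (assumed minSdk)
            X509Certificate leaf = error.getCertificate().getX509Certificate();
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            byte[] expected = hexToBytes(EXPECTED_LEAF_SHA256_HEX);
            return MessageDigest.isEqual(actual, expected);  // length-safe comparison
        } catch (Exception e) {
            return false;
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

With the placeholder pin left in place the hex decode throws, so every SSL error is cancelled; the client only starts accepting once a real pin is configured, and it still rejects everything else.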
13

The solution is to remove onReceivedSslError.

bluish
Atef Daoud
  • I followed this commit: https://github.com/gorbin/ASNE/commit/85dadbfd7b31346b11ce642d4224e12561c8b169. – Phien Tram Mar 03 '16 at 07:55
  • But then your webview will show nothing if the website SSL certificate has a problem. No content or warning is shown to the user. – Tam Huynh Nov 25 '19 at 02:39
1

I was using an old version of the Backendless library, compile 'com.backendless:backendless:3.0.11', so I updated to the latest version, compile 'com.backendless:backendless:3.0.24', and the issue was solved.

varotariya vajsi